
Limiting spam attacks


My email address was the target of a spam attack a few years ago.

Someone had gotten ahold of my credit card info and email address (hosted at Gmail) and tried to order a laptop from an Apple store a few states away. I got the email receipt, cancelled the order, and reported the fraudulent card use. I figured that’d be the end of it.

An hour or so after the laptop was supposed to be picked up, I got an email that said something along the lines of “you can’t even afford to buy me a laptop? how broke are you?” which like… That’s an odd way of looking at it.

About an hour after that, I started getting bombarded with spam. Job postings, “thanks for signing up for our newsletter” emails, seasonal specials for restaurants in Eastern Europe, Taiwanese toy wholesalers, you name it.

I was getting over 50 emails a minute for a while, and it was impacting my ability to log into and interact with my Gmail account.

I had used this email address for everything on the internet for over a decade. I really didn’t want to abandon it because some jerk was mad I wouldn’t let them use my credit card.

Short term fix

I needed to stem the flow, so I created a few rules:

  1. All of the mail that included a first name used “John”, so I created a rule to delete any email that had “John” AND did not have “Sean”.
  2. Delete any email that matched “enquiry”, “following item”, “request following”, “wordpress”, “newsletter”, “unsubscribe”.
  3. I also directly blocked many FROM addresses that were egregious senders.

I later changed these rules to “Skip Inbox, Mark as read, Apply label “Probably Trash”, Never mark it as important” and spent hours unsubscribing from things.

Longer term fix

  1. I set up a catch-all address at a domain I hadn’t been using; email sent to any address at that domain ends up in the same mailbox.
    1. I know for sure these providers support this: Google GSuite, Protonmail, Fastmail, GoDaddy, and Namecheap. I’m sure many others do as well.
  2. Every time I have to create an account somewhere, it gets a unique email address; if I create an email address for OpenAI, I register with the email [email protected], LinkedIn is [email protected], etc.
  3. I was already doing this, but every account also gets a unique password.
  4. I claimed ownership of my domain with HaveIBeenPwned’s Domain Search. I now get alerted if any email at my domain shows up in a breach or a pastebin somewhere. This allows me to blackhole addresses that are likely to be abused, and because each vendor gets a different email, I never have to fear an attack like the one I had on my Gmail account.
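
The routing logic behind the per-vendor alias scheme above, as an added example that is not code from the original post. It assumes the alias local part is the vendor name, that `example.net` stands in for the catch-all domain, and that the provider records the envelope recipient in a `Delivered-To` header; the blackhole set and sample messages are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

CATCH_ALL_DOMAIN = "example.net"  # assumption: placeholder for the catch-all domain
BLACKHOLED = {"shopco"}           # constructed: alias retired after a breach alert

def recipient_aliases(msg):
    """Local parts of the recipients at the catch-all domain, lowercased."""
    # Prefer the envelope recipient; fall back to the visible To/Cc headers.
    headers = msg.get_all("Delivered-To") or (
        msg.get_all("To", []) + msg.get_all("Cc", []))
    aliases = []
    for _name, addr in getaddresses(headers):
        local, _, domain = addr.rpartition("@")
        alias = local.lower()
        if domain.lower() == CATCH_ALL_DOMAIN and alias and alias not in aliases:
            aliases.append(alias)
    return aliases

def triage(raw_message):
    """Return (action, alias): deliver, blackhole, or review."""
    aliases = recipient_aliases(message_from_string(raw_message))
    if not aliases:
        return ("review", None)  # not addressed to any alias we issued
    live = [a for a in aliases if a not in BLACKHOLED]
    if not live:
        return ("blackhole", aliases[0])  # only retired aliases were targeted
    return ("deliver", live[0])  # the alias doubles as the per-vendor label

# Constructed sample messages.
SAMPLES = {
    "live": ("Delivered-To: openai@example.net\n"
             "From: noreply@vendor.example\n"
             "To: openai@example.net\n"
             "Subject: Your receipt\n\nbody\n"),
    "leaked": ("From: deals@spam.example\n"
               "To: John <ShopCo@Example.NET>\n"
               "Subject: newsletter\n\nbody\n"),
    "stray": ("From: x@spam.example\n"
              "To: someone@other.example\n"
              "Subject: hi\n\nbody\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

Adding an alias to `BLACKHOLED` after a breach alert cuts off only that vendor's address; every other account keeps working.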

I wish more banks and credit card issuers supported single-use credit card numbers!